Checking Legality of Online Platforms Operating in the Philippines

A practical legal article for founders, compliance teams, counsel, investors, creators, and users

1) What “legal to operate” means in the Philippines

In the Philippine context, an online platform is “legal to operate” when it is:

  1. Properly constituted to do business (as a Philippine entity or a registered foreign entity), and
  2. Properly permitted (local permits + tax registration), and
  3. Properly licensed/authorized for any regulated activity it performs (e.g., payments, lending, securities, gambling, telecom), and
  4. Compliant with cross-cutting rules (data privacy, consumer protection, cybersecurity, advertising, taxation, AML/KYC where applicable), and
  5. Not engaged in prohibited conduct (scams, unlawful gambling, unregistered securities offerings, illegal lending practices, etc.).

A platform can be “registered” but still illegal if it operates a regulated service without the right license. Conversely, a platform can be “licensed” for one activity but still be noncompliant if it violates consumer or privacy rules.

2) The regulatory map: who polices what

Legality checks in the Philippines usually involve multiple agencies. The most common:

Corporate existence / business authority

  • SEC (Securities and Exchange Commission): corporations, partnerships, foreign entities doing business; also enforces the Securities Regulation Code (SRC) on securities offerings and certain investment schemes.
  • DTI (Department of Trade and Industry): sole proprietorship name registration; e-commerce policy; consumer-related functions (often together with other agencies).
  • LGU (City/Municipal Hall): mayor’s/business permit, barangay clearance, local fees.

Taxes and invoicing

  • BIR (Bureau of Internal Revenue): tax registration, receipts/invoices, withholding, VAT/percentage tax, e-commerce-related compliance.

Consumer protection / fair trade

  • DTI (for many consumer goods/services and online selling rules)
  • Various sector regulators (e.g., BSP for financial consumer protection where applicable)

Data privacy

  • NPC (National Privacy Commission): Data Privacy Act compliance, breach reporting, complaints.

Cybercrime / unlawful online activity

  • PNP Anti-Cybercrime Group / NBI Cybercrime Division: investigation and enforcement.
  • Courts apply the Cybercrime Prevention Act, Revised Penal Code offenses, special laws.

Financial services (highly regulated)

  • BSP (Bangko Sentral ng Pilipinas): banks, e-money issuers, payment system operators, money service businesses/remittance; operational and cybersecurity expectations for supervised entities.
  • SEC: securities and investments (shares, investment contracts, tokens that qualify as securities, “investment solicitation,” etc.).
  • IC (Insurance Commission): insurance and pre-need, including online distribution in some cases.
  • CDA (Cooperative Development Authority): if the platform is tied to cooperatives.

Gambling

  • PAGCOR (Philippine Amusement and Gaming Corporation): many gambling operations (scope depends on product).
  • PCSO: lottery-related. Online gambling questions are extremely sensitive and fact-specific; licensing status and current policy direction matter.

Telecom / connectivity

  • NTC (National Telecommunications Commission): telco and spectrum-related regulation; value-added services in certain contexts.

Content / media / advertising

  • Ad standards (self-regulatory bodies), sector rules (e.g., FDA for health products), and consumer law generally.
  • Special rules apply to particular content (e.g., child protection laws, anti-voyeurism, anti-trafficking).

3) The baseline compliance stack (almost every platform needs these)

Even if your platform is “just an app/website,” these baseline items are usually expected:

A. Business registration & local permits

If operating a business in the Philippines (especially if earning from Philippine users), the platform typically needs:

  • Entity registration (SEC for corporation/partnership; DTI for sole prop).
  • LGU permits (barangay clearance, mayor’s permit, occupancy/fire as applicable).
  • BIR registration (tax type, authority to print or e-invoicing setup, books of accounts, withholding, VAT/percentage tax where relevant).

Common misconception: “We’re online so we don’t need a business permit.” If you have offices, staff, or ongoing commercial activity locally, local permits are commonly required.

B. Consumer protection & e-commerce rules

Philippine consumer law principles usually require:

  • Truthful advertising and product/service descriptions
  • Clear pricing, fees, subscription terms, and cancellation/refund policies
  • Delivery and fulfillment transparency
  • Accessible customer support / complaint handling
  • No unfair or unconscionable contract terms

For marketplaces, add: seller verification, takedown procedures, handling counterfeit reports, and dispute resolution.

C. Data Privacy Act (DPA) compliance (Republic Act No. 10173)

If the platform collects or processes personal data of individuals in the Philippines (names, emails, phone numbers, IDs, biometrics, location, device identifiers tied to a person, etc.), it generally must:

  • Have a lawful basis (consent is only one basis; contracts/legal obligations may apply depending on the context).
  • Provide a Privacy Notice that is clear and specific.
  • Implement reasonable and appropriate security measures (organizational, physical, technical).
  • Have vendor/processor contracts and control cross-border processing properly.
  • Enable data subject rights processes (access, correction, objection, deletion where applicable).
  • Maintain breach response readiness and notify authorities/affected individuals when required by rules.

Practical tip: A privacy policy copied from another jurisdiction is often noncompliant; Philippine expectations emphasize transparency, proportionality, and security.

D. Cybersecurity & platform integrity

While not every platform is “critical information infrastructure,” most will be expected (by users, regulators, and counterparties) to implement:

  • Secure authentication, anti-fraud controls, logging and monitoring
  • Incident response plan
  • Regular vulnerability management
  • Strong controls around payment flows and account takeovers

If you handle payments or financial data, security expectations rise sharply.

E. IP, content, and moderation

Platforms often need:

  • IP policy (copyright takedown workflow, trademark complaint handling)
  • Terms prohibiting illegal content
  • Procedures for reports and removals, especially for scams, exploitation, and impersonation

4) The “regulated activity” triggers (where legality often fails)

Most platforms become legally risky when they cross into a regulated domain without realizing it.

4.1 Payments, wallets, remittance, and “moving money” (BSP)

You may be in BSP territory if your platform:

  • Stores value for users (wallets/e-money)
  • Facilitates cash-in/cash-out
  • Transfers funds between users
  • Does remittances or foreign exchange features
  • Operates as a payment gateway/processor in certain structures
  • Aggregates merchants and settles payments

What “legal” usually requires: appropriate BSP registration/license (depending on exact model), compliance with AML obligations if covered, consumer protection standards, and cybersecurity controls.

Red flag: “We just call it ‘credits’” or “points” but users can cash out, transfer, or redeem widely—this can look like stored value.

4.2 Lending, “salary loans,” BNPL, and credit facilitation

You may be regulated if you:

  • Lend directly to the public
  • Broker loans or match borrowers/lenders
  • Collect loan repayments and fees
  • Offer BNPL or installment products

Philippine regulation may involve combinations of:

  • SEC (for lending companies and financing companies, and related rules),
  • BSP (if tied to banks/e-money),
  • Consumer and fair lending principles, plus privacy and collections standards.

Red flags:

  • Very high effective interest/fees without transparent disclosure
  • Aggressive or harassing collection practices
  • Public shaming / contact-list scraping (also a privacy issue)

4.3 Investments, trading platforms, “guaranteed returns,” and tokens (SEC)

You may be dealing with securities if you:

  • Offer shares, notes, “investment contracts,” pooled investments
  • Promise profits primarily from the efforts of others
  • Market “guaranteed returns,” “passive income,” or profit-sharing
  • Run copy-trading or fund-like products
  • Offer tokens that function like investment contracts

What “legal” usually requires: registration or exemption for the offering, and potentially licensing for persons/entities engaged in brokerage/dealing/salesman functions. The SEC is aggressive against unregistered solicitations and investment scams.

Red flag: “It’s not a security—it’s a membership” while you market ROI.

4.4 Gambling, betting, games of chance, and prize mechanics

If your platform involves wagering, house-banked games, betting on events, online casinos, or similar, you are likely in highly regulated territory. “Promos” that are effectively lotteries can also trigger rules.

What “legal” usually requires: a valid license from the proper authority for the particular product and audience, plus strict controls (age, geolocation, AML where applicable). This space is very fact-sensitive.

4.5 Telecom/value-added services (NTC)

Platforms that provide certain communications services, integrate with SMS aggregators, or operate services resembling telecom/VAS may face NTC rules—especially when the business model resembles a communications carrier or VAS provider rather than a typical internet app.

4.6 Health, medicines, food, cosmetics, and devices (FDA and others)

If you sell or facilitate sales of regulated products (medicines, supplements, medical devices, cosmetics, processed food), you must consider:

  • licensing of sellers, product registration/notifications, advertising restrictions, and platform responsibility for takedowns.

4.7 Employment, recruitment, and migration

Job platforms can trigger obligations on fair recruitment, anti-scam compliance, and potentially POEA/DMW-related issues if overseas employment is involved.

5) Cross-border platforms: when foreign companies “do business” in the Philippines

A foreign platform can have Philippine users without necessarily being required to incorporate locally. But registration risk rises when the platform has continuity of commercial dealings in the Philippines such as:

  • a Philippine office, employees, or agents with authority
  • localized operations (local contracting entity, local billing, local customer support center)
  • targeted marketing plus local fulfillment infrastructure
  • repeated transactions that resemble doing business rather than incidental sales

Foreign ownership restrictions may apply in specific industries (telecom, mass media, certain public utilities, and other constitutionally or statutorily restricted activities). Even if a platform is “tech,” the underlying regulated activity matters.

6) A practical legality checklist (what to verify, step-by-step)

This is how diligence is commonly done in the Philippines.

Step 1: Identify the exact business model and money flow

Write down:

  • Who pays whom?
  • Where is money held?
  • Can users withdraw?
  • Who sets prices?
  • Who bears risk (fraud, chargebacks, delivery)?
  • Any profit promises?
  • Any wagering?
  • Any regulated goods?

Most licensing decisions follow from this map.

Step 2: Verify entity and authority to operate

For Philippine entities:

  • SEC/DTI registration exists and matches the brand/operator
  • Secondary licenses (if applicable) are in place (e.g., lending, financing)
  • BIR registration and invoicing/receipting ability
  • LGU permits for principal office locations

For foreign entities:

  • Whether the platform has registered to do business (branch/ROHQ or other forms) or operates via a local subsidiary/partner
  • Whether the on-the-ground activities amount to “doing business”

Step 3: Check regulated activity licenses (if any)

  • BSP licenses/registrations (payments, e-money, MSB, etc.)
  • SEC registrations (securities offering approvals, broker/dealer, investment house, crowdfunding if applicable; anti-scam enforcement risk if absent)
  • PAGCOR/PCSO and related approvals (if gambling/prize mechanics)
  • IC approvals (insurance distribution)
  • FDA/other product authorizations (regulated goods)

Step 4: Review platform legal documents and consumer disclosures

  • Terms of Service (clear fees, dispute rules, liability limits that are not unconscionable)
  • Privacy Notice / Cookie Notice
  • Refund/cancellation policy
  • Seller/merchant policies for marketplaces
  • Complaint channels and timelines

Step 5: Data privacy and security readiness

  • Data inventory (what personal data, why, where stored, retention)
  • Processor agreements (cloud, analytics, CRM, payment processors)
  • Breach response and logging
  • Consent/notice flows

Step 6: AML/KYC (if your model is covered)

If you touch funds, exchange value, or enable transfers, analyze AML coverage and implement:

  • identity verification proportionate to risk
  • monitoring and suspicious transaction reporting workflows (if covered)
  • sanctions screening where appropriate
  • controls against mule accounts and fraud

Step 7: Tax and invoicing compliance

Common issues:

  • VAT/percentage tax classification
  • Withholding obligations on payments to suppliers/creators
  • Permanent establishment questions for foreign entities
  • Proper receipts/invoices for subscriptions, platform fees, commissions

Step 8: Advertising and content compliance

  • Avoid deceptive claims and hidden fees
  • Special care for financial claims (“guaranteed returns,” “risk-free”)
  • Rules around promotions and prize-based campaigns
  • Content moderation for scams/illegal sales

7) How to assess legality as a user (quick red flags)

If you’re evaluating a platform you might use or invest in, common warning signs include:

  • Promises of guaranteed high returns with vague explanations
  • “Investment” product with no clear SEC registration/exemption explanation
  • A wallet/transfer feature with no transparent operator identity
  • No Philippine contact details, no dispute channel, no transparent fees
  • Aggressive lending/collections behavior or unexplained access to contacts
  • Unclear terms, “we can change anything anytime” clauses without safeguards
  • Evidence of fake reviews, impersonation, or persistent scam reports
  • Requests for excessive permissions unrelated to service (contacts/SMS/location)
  • Unexplained cash-out methods, use of personal accounts, or “send to this GCash number”

8) Common myths that cause platforms to break the law

  1. “We’re just a tech platform.” Regulators look at the activity, not the label.
  2. “We don’t hold money; we just facilitate.” Facilitation can still be regulated.
  3. “We’ll register later once we scale.” Operating first can trigger enforcement.
  4. “A privacy policy is enough.” You need actual security measures and governance.
  5. “Crypto/tokens are unregulated.” Securities and consumer laws can still apply.
  6. “We’re offshore so PH laws don’t apply.” PH laws can apply where PH users and harmful effects exist, and local partners can be liable.

9) Enforcement realities in the Philippines

Enforcement can come from:

  • Administrative actions (cease and desist, fines, registration revocation)
  • Criminal complaints (estafa, cybercrime-related offenses, special law violations)
  • Civil suits (consumer claims, damages, injunctions)
  • Platform/partner de-risking (banks, payment processors, app stores removing access)

Often, the most immediate “enforcement” is commercial: PSPs, banks, or app marketplaces cut off a platform when compliance is unclear.

10) A model “legality memo” outline (what professionals typically write)

If you want to document legality in a Philippine-ready way, structure it like this:

  1. Executive summary (what the platform does; whether it’s permitted; licensing needs)
  2. Business model diagram (roles, money flow, custody, counterparties)
  3. Entity status (SEC/DTI/BIR/LGU; foreign presence analysis)
  4. Regulatory classification (payments/lending/securities/gambling/etc.)
  5. Licenses and registrations (status, gaps, remediation plan)
  6. Consumer compliance (disclosures, subscriptions, refunds, dispute handling)
  7. Data privacy (DPA basis, notices, security controls, processor contracts)
  8. AML/KYC (coverage assessment, controls if covered)
  9. Tax (revenue characterization, withholding, VAT/PT, invoicing)
  10. Risk register (highest risks, enforcement likelihood, timeline to fix)

11) Bottom line

To check whether an online platform is legal in the Philippines, don’t stop at “it has a registration” or “it’s downloadable in an app store.” The correct approach is:

  • Verify the operator (entity identity, authority to do business, tax/permits)
  • Classify the activity (payments? lending? securities? gambling? regulated goods?)
  • Match licenses to activities (BSP/SEC/PAGCOR/IC/FDA/NTC as applicable)
  • Validate cross-cutting compliance (consumer, privacy, security, advertising, tax, AML)

If you tell me what kind of platform you mean (e.g., marketplace, wallet, lending app, investment/copy-trading app, online casino, content subscription app), I can apply this framework to that model and produce a focused Philippines-specific legality checklist and risk map for it.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login